A prominent proxy adviser urged the ouster of most
Target Corp.
TGT -0.87%
board members for failing to manage risks and protect the company from a massive data breach at the end of last year, a warning to corporate boardrooms to take cybersecurity more seriously.

Institutional Shareholder Services, which advises big shareholders how to vote on corporate ballots, called on Target shareholders to oust seven of the company's 10 directors for not doing enough to ensure Target's systems were fortified against security threats.

The recommendation focused on directors who serve on Target's audit and corporate-responsibility committees, which are tasked with overseeing and managing risk.

"It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders," ISS wrote.

Former Xerox CEO Anne Mulcahy, one of Target's longest-serving directors, is among those who ISS says should be voted off the board.
Bloomberg News

The report puts corporate board members on notice to treat the risks associated with cyberattacks more seriously, particularly directors at retailers which store vast amounts of data like credit card numbers and personal information that cybercriminals seek. Other retailers like Michaels Stores Inc. and Neiman Marcus Group have fallen victim to cyberattacks where credit-card information was compromised.

The ISS move is "raising a red flag about risk oversight that is a growing issue for boards,'' said
Eleanor Bloxham,
a corporate governance consultant in Columbus, Ohio.

Many corporate directors have begun paying greater attention to overseeing risk—such as through the appointment of a chief audit executive who reports directly to the full board, an arrangement that allows the board to get unfiltered information.

Kenneth Daly,
president of the National Association of Corporate Directors, estimates that several hundred U.S. companies now employ a chief audit executive who reports directly to the board. "Five years ago, it was uncommon," Mr. Daly said.

Related

In response to ISS's criticism Wednesday, Target's board said overseeing risk is the responsibility of the entire board and is part of its continuing review of the company's strategy. It said that Target's security measures were "among the best-in-class within the retail industry," adding that it had made significant investments in data security and that its payment systems had been compliant with industry guidelines.

Hackers worked their way into Target's payment network in mid-November, using the credentials of a third-party refrigeration contractor to access the retailer's system. The malware worked for roughly three weeks, scooping up valuable data compromising 40 million credit- and debit-card numbers eventually sold on the black market.

Another proxy advisory firm, Glass, Lewis & Co., took a different stance, saying there wasn't yet enough evidence that the data breach was due to any neglect by Target's board or executives.

ISS called for voting against Target's two longest-serving directors: former
Xerox Corp.
Chief Executive
Anne Mulcahy
and the one-time head of
Fannie Mae
and lead independent director
James Johnson.
Roxanne Austin,
the interim chairman, is another director ISS targeted for defeat.

The firm recommends voting for
Kenneth Salazar,
the former U.S. senator who leads the corporate responsibility committee and joined the board last July, as well as two members who didn't serve on the audit or oversight committees.

The shareholder votes will be counted at Target's annual meeting, scheduled for June 11.

Glass Lewis also advised shareholders to vote against Mr. Johnson and Ms. Mulcahy, but for reasons unrelated to the data breach. The advisory firm took issue with their roles on other boards.

In the case of Mr. Johnson, Glass Lewis also pointed to his role as chairman of Target's compensation committee at a time when lavish pay packages for the retailer's top executives were criticized as being out of sync with the company's poor performance.

This year Target revamped its compensation program to tie pay packages more to the company's performance. It also cut total compensation of
Gregg Steinhafel,
who resigned as chairman and CEO earlier this month, in part for his handling of the data breach.

Both ISS and Glass Lewis agreed on approving a shareholder proposal to separate the roles of chairman and chief executive, a proposal voted down at last year's shareholder meeting. ISS said Target's weak performance and the data breach showed that the dual role of CEO and chairman didn't provide enough oversight of management.

The company has a separate interim CEO as it searches for a new chief. In its latest proxy statement, Target argued against the proposal to separate the two roles, saying its current structure of a lead independent director provides enough oversight.

Target's board wants to have flexibility to determine the proper structure of the board. It hasn't made a decision on whether it will continue with an independent chairman and plans to revisit the leadership structure when it appoints a permanent CEO.